Reasonable 🔐AppSec #31 - Five Security Articles, The next generation of threat modeling, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Hey there,

In this week’s issue of Reasonable Application Security:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: The next generation of threat modeling

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. “The big lie of millions of information security jobs”

    • Are the commonly reported figures of millions of unfilled information security jobs greatly exaggerated and not based on statistically sound data? The article discusses various aspects of the information security job market, including hiring practices, the nature of available jobs, and job seekers' experiences in the field. I’ve always wondered about these numbers that folks throw around. Ben dives deep into the data.

  2. “5-Minute DevOps: The Three Wrongs”

    • There are common pitfalls in Agile and DevOps methodologies. The piece focuses on the problems of assuming an idea's value without testing (First Wrong), misunderstandings during development due to lack of context (Second Wrong), and changing user needs (Third Wrong), and advocates for smaller, faster feedback loops, cross-functional teams, and continuous improvement to address these issues.

  3. "Stop deploying web application firewalls"

    • Don’t use Web Application Firewalls (WAFs). They have become obsolete due to their inefficiency, easy bypass by attackers, potential as an attack vector, high rate of false positives, and the availability of better security alternatives like isolation, immutability, static analysis, and capability-based security. I’ve been sharing this opinion for most of 2023.

  4. "Zero trust and threat modeling: Is it time for AppSec to get on board?"

    • Zero-trust architecture is growing in relevance in application security (AppSec) and threat modeling. We need AppSec professionals to modify existing practices to accommodate zero trust, which shifts away from traditional perimeter-based security measures to assume no implicit trust and require verification for access. The piece also outlines vital recommendations and challenges in implementing zero-trust architecture, emphasizing its benefits in uncovering new threats and demanding a deeper understanding of the protected systems.

  5. "Consumer Software Security Assessment: Should We Follow NHTSA's Lead?"

    • Should we establish safety and security standards for consumer software like vehicles? Would this help users make informed choices about their software and increase their control over privacy and security? I believe that vehicles and airplanes can teach us much about how to build security and privacy requirements for all product types.

Featured focus: The next generation of threat modeling

In the last year, I’ve focused on creating a new platform to enable more straightforward and effective threat modeling. I’ve focused on both the security and privacy side.

I looked at the industry before I began this journey and found a collection of tools that are expensive and challenging to use. Devici was born with the idea of solving the problem of threat modeling inside organizations large and small — providing a way for people to threat model using a tool that makes the process easier and quicker and for a cost-effective price.

Today (December 1, 2023), we launch our invitation-only public beta. As subscribers of Reasonable AppSec, I invite you to sign up for the beta personally.

The beta focuses on three primary areas: canvas, Codex, and collaboration. Think of these as the three C’s of Devici. The canvas represents our clean graphical canvas environment to create your data flow diagrams. The Codex is our collection of attributes you can assign to elements on a diagram and threats/mitigations the system will serve for you to consider. Collaboration is at the heart of what we do — we provide a way for you to create a threat model with a group of colleagues, where you can build a model together and see what everyone else is doing in real time.

Visit the devici website to sign up for the beta. We look forward to collaborating with you on the best new tool in the threat modeling space.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Dr. Jared Demott -- Cloud Security & Bug Bounty (Audio only; YouTube)

      • Dr. Jared Demott covers topics like application security opinions, managing bug bounty programs in large corporations, and the evolution of bug classes. The episode offers essential insights for those interested in software security, the realities of cybersecurity work, and the continuous challenges of bug mitigation.

  • Security Table

    • Looking Back, Looking Forward (Audio only; YouTube)

      • The gang delves into the dynamics of the security community, the role of technology, and the impact of social media on life, blending professional insights with personal experiences. The discussion covers topics such as the importance of collaboration in security, the value of mentoring, the cautious use of AI, and the influence of social media on personal well-being, concluding with a call to action for positive societal change.

  • Threat Modeling Podcast

    • A new episode, "Privacy and Threat Modeling in Practice," is coming soon. I promise it is. I’m planning to get back to the Threat Modeling Podcast in December.

Where to find Chris? 🌎

  • The rest of 2023 — relaxing in Raleigh, NC, building new features supporting the Devici beta, and preparing for a busy 2024.

  • BSides SF, May 4-5, 2024

  • RSA, San Francisco, May 6 - 9, 2024

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.